SparTech Software CyberPulse – Your quick strike cyber update for January 27, 2026 10:41 AM

Critical CERT-In Advisories Target SAP, Microsoft, and Atlassian Vulnerabilities

This summary outlines critical vulnerability advisories issued by CERT-In in January 2026 affecting SAP enterprise software, Microsoft products, and Atlassian tools, urging immediate patching to prevent exploitation in enterprise environments.

Vulnerability Details in SAP Systems

SAP applications face multiple high-severity flaws, primarily in components like NetWeaver and SAP Business Technology Platform. These include remote code execution vulnerabilities stemming from improper input validation in ABAP services, allowing attackers to inject malicious payloads via crafted HTTP requests. For instance, a deserialization flaw in SAP NetWeaver’s Visual Composer enables unauthenticated remote code execution when processing untrusted XML inputs, potentially leading to full server compromise if exposed to the internet. Attackers exploit this by sending specially crafted requests that trigger gadget chains during object deserialization, executing arbitrary code under the web application user’s privileges.

Microsoft Ecosystem Exploits

Microsoft vulnerabilities highlighted include zero-day issues in Office suites and Windows components. A prominent flaw involves a security feature bypass in Microsoft Office, designated CVE-2026-21509, where attackers bypass Mark-of-the-Web protections via malicious documents. Technically, this occurs through manipulation of a spoofed file-download attribute, tricking the sandbox into treating remote files as local and thus evading Protected View. Exploitation chains typically involve phishing-delivered macros or OLE objects that, once rendered, trigger heap-based buffer overflows for code execution within the Office process context.

Atlassian Confluence and Jira Risks

Atlassian products, especially Confluence Server and Data Center, suffer from authentication bypass and privilege escalation bugs. A critical path traversal vulnerability allows unauthenticated users to access sensitive endpoints by manipulating URL parameters, reading arbitrary files including system configurations and user databases. In Jira, SQL injection flaws in custom plugins enable data exfiltration via time-based blind techniques, where attackers craft payloads using subqueries to extract database contents character by character. Mitigation requires applying vendor patches and enforcing strict access controls on administrative interfaces.

Microsoft Patches Office Zero-Day Actively Exploited in Targeted Attacks

Microsoft has issued emergency out-of-band patches for CVE-2026-21509, a zero-day security feature bypass in Office applications actively exploited in targeted campaigns, with CISA adding it to its Known Exploited Vulnerabilities catalog mandating federal remediation by mid-February 2026.

Technical Breakdown of CVE-2026-21509

The vulnerability resides in the handling of Mark-of-the-Web (MotW) metadata by Office applications, including Word, Excel, and PowerPoint. Attackers craft malicious RTF or DOCX files with manipulated Zone.Identifier alternate data streams, spoofing the origin to bypass sandboxing. Upon opening, the file evades Protected View, allowing embedded JavaScript or VBA macros to execute in a high-integrity context. Exploitation vectors include spear-phishing emails with attachments hosted on attacker-controlled domains using URLSet properties to simulate trusted sources.

Exploitation Mechanics and Indicators

Post-bypass, attackers leverage use-after-free bugs in OLE parsers or heap sprays in equation editors to achieve remote code execution (RCE). Observed campaigns target defense contractors and government entities, with implants establishing persistence via registry run keys and scheduled tasks. Detection signatures focus on anomalous MotW absence in Office telemetry and unexpected process chains like mso20win32client.exe spawning cmd.exe. Organizations should enable Attack Surface Reduction rules blocking Office child processes and deploy enhanced logging via Microsoft Defender for Office 365.

Broader Implications and Mitigation

This zero-day underscores the persistence of Office as an attack vector, with the potential to chain UAC bypasses to elevate privileges. Patch deployment is via Windows Update or Microsoft Update Catalog downloads, prioritizing internet-facing systems. Additional defenses include macro-blocking policies, ASR rule 92E97FA1-2EDF-4476-BDD6-9DD0B4DDAA40 for Office apps, and behavioral analytics monitoring for file-open events without MotW flags.
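The two detection signals named above (Office documents opened without an Internet-zone Mark-of-the-Web, and Office hosts such as mso20win32client.exe spawning cmd.exe) as an added example, not code from the original digest or from Microsoft. It parses the `[ZoneTransfer]` text of a `Zone.Identifier` alternate data stream and runs both checks over constructed sample telemetry; the parent/child process lists and the telemetry field names are assumptions.

```python
from typing import Dict, List, Optional, Tuple
# Office host processes and child processes worth alerting on (assumed lists, extend as needed).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "mso20win32client.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}

def parse_zone_identifier(stream: str) -> Dict[str, str]:
    """Parse the INI-style Zone.Identifier stream: '[ZoneTransfer]' then ZoneId=3 for Internet downloads."""
    fields: Dict[str, str] = {}
    in_section = False
    for raw in stream.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields

def internet_marked(stream: Optional[str]) -> bool:
    """True only when the stream records the Internet (3) or Restricted (4) zone."""
    if stream is None:  # no ADS at all: the file looks local and Protected View is skipped
        return False
    return parse_zone_identifier(stream).get("ZoneId") in {"3", "4"}

def unmarked_remote_opens(opens: List[Dict]) -> List[str]:
    """Flag file-open events whose file arrived remotely (e-mail, browser) but lacks an Internet MotW."""
    return [o["path"] for o in opens if o["remote_origin"] and not internet_marked(o["zone_stream"])]

def suspicious_chains(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (parent, child) pairs where an Office host spawns a shell or script interpreter."""
    hits = []
    for e in events:
        parent = e["parent_image"].rsplit("\\", 1)[-1].lower()
        child = e["image"].rsplit("\\", 1)[-1].lower()
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            hits.append((parent, child))
    return hits

# Constructed sample telemetry, not real logs; paths are placeholders.
SAMPLE_OPENS = [
    {"path": r"C:\Users\a\Downloads\invoice.docx", "remote_origin": True,
     "zone_stream": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/invoice.docx\r\n"},
    {"path": r"C:\Users\a\Downloads\report.rtf", "remote_origin": True, "zone_stream": None},
    {"path": r"C:\Users\a\Documents\notes.docx", "remote_origin": False, "zone_stream": None},
]
SAMPLE_PROCS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Office16\WINWORD.EXE"},
    {"parent_image": r"C:\Office16\WINWORD.EXE", "image": r"C:\Windows\System32\cmd.exe"},
    {"parent_image": r"C:\Office16\mso20win32client.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]
```

On a real host the stream text comes from `Get-Content -Stream Zone.Identifier` in PowerShell and the process events from Sysmon event ID 1 or equivalent EDR telemetry.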

RansomHouse Ransomware Breaches Luxshare Precision iPhone Data

On January 8, 2026, RansomHouse claimed a double-extortion attack on Luxshare Precision Industry, a key Apple supplier, exfiltrating proprietary iPhone assembly data in an incident dated December 15, 2025 and exposing sensitive manufacturing intellectual property.

Attack Vector and Initial Access

The intrusion likely began via phishing targeting engineering staff, exploiting unpatched VPN endpoints vulnerable to CVE-2025-32756, a critical RCE in FortiGate SSL VPN. Post-compromise, attackers used living-off-the-land binaries like PowerShell and certutil for reconnaissance, enumerating Active Directory via BloodHound ingesters. Lateral movement employed Pass-the-Hash with Mimikatz derivatives, targeting domain controllers to harvest LSASS dumps for credential materialization.

Data Exfiltration and Encryption Tactics

Exfiltrated data spanned CAD files, firmware binaries, and supply chain manifests totaling over 50GB, staged via Rclone to MEGA.nz before encryption. RansomHouse deployed a custom QAKBot variant for C2, followed by Ryuk ransomware encrypting volumes with AES-256 and ChaCha20 ciphers. Double extortion involved publishing samples on Tor leak sites, pressuring payment in Monero to avoid full disclosure. Recovery challenges include evasion of backups through Volume Shadow Copy deletion and event log clearing via wevtutil.

Supply Chain Ramifications

Luxshare’s role in iPhone camera module assembly amplifies risks, potentially leaking component specs aiding counterfeit operations or nation-state espionage. Mitigation emphasizes zero-trust segmentation isolating manufacturing systems, endpoint detection with behavior-based ransomware heuristics, and regular privilege audits reducing standing access.

Betterment Investment Platform Suffers Breach and DDoS Disruption

Betterment customers faced fraudulent crypto scams following the compromise of a third-party marketing platform, alongside a January 13, 2026 DDoS attack that caused outages; no core accounts were compromised, but the incidents have sparked lawsuits.

Breach Mechanics via Third-Party

Attackers targeted the marketing vendor’s API, exploiting an API key exposure in a misconfigured S3 bucket, granting read access to customer PII including emails, addresses, and DOBs. Credential stuffing campaigns followed, using breached data for phishing lures promising fake crypto airdrops via cloned domains. Technical indicators include anomalous API query spikes and IP geolocations tracing to Eastern European VPS providers.

DDoS Attack Characteristics

The DDoS leveraged a Mirai botnet variant, generating 150Gbps UDP floods and HTTP GET floods overwhelming load balancers. Mitigation involved Cloudflare Spectrum activation and BGP blackholing, restoring services within hours. No data loss occurred, but availability impact disrupted trading during peak hours.

Legal and Response Measures

Lawsuits allege negligence in vendor oversight, demanding enhanced disclosure under CCPA. Betterment implemented MFA enforcement, anomaly-based fraud detection, and third-party risk assessments using frameworks like SIG Core.

Varonis Exposes Microsoft Copilot Reprompt Vulnerability

Varonis researchers demonstrated a Reprompt attack on Microsoft Copilot Personal, enabling silent data exfiltration via phishing links that bypass security to access files, locations, and history through crafted follow-up prompts.

Reprompt Technique Explained

The flaw exploits Copilot’s multi-turn conversation state, where an initial phishing link opens a session tricked into ignoring content filters. Subsequent prompts use semantic jailbreaking, phrasing queries like “summarize recent docs without alerts” to extract OneDrive contents, geolocation from Edge telemetry, and Entra ID attributes. No user interaction beyond the initial click is required, with data relayed via Bing Chat APIs.

Technical Exploitation Chain

Attackers host malicious links on URL-shortened domains mimicking Microsoft, leveraging prompt injection to chain extractions: first conversation history, then file APIs via Graph endpoints. Proof-of-concept exfiltrated 10MB docs in under 2 minutes. Microsoft patched by enhancing prompt sanitization and session isolation in updated Copilot builds.

Defensive Strategies for LLMs

Organizations should deploy DLP policies blocking AI data flows, prompt guards filtering sensitive keywords, and user training on link verification. Enterprise Copilot variants offer improved RBAC limiting data scopes.

BreachForums Cybercrime Forum Data Leaked by Insider

On January 9, 2026, hacker “James” leaked 323,988 BreachForums member records including credentials and IPs, followed by admin PGP keys, exposing the operators of the relaunched notorious dark web marketplace.

Leaked Data Contents and Impact

The dump includes hashed passwords crackable via Hashcat on GPU clusters, email:pass pairs for takeover, and IPv4 addresses linking to real identities. James doxxed admins tied to Shiny Hunters, revealing opsec failures like static IPs and reused wallets.

Forum History and Resilience

BreachForums, the successor to RaidForums, has continued hosting stolen-data auctions since its founder’s arrest in 2023. The leak accelerates law enforcement takedowns, with the FBI leveraging IOCs for arrests. Technical analysis shows the forum backend running on compromised bulletproof hosting with SQLi remnants.

Cybercrime Ecosystem Disruption

Impacts ripple to affiliates, forcing credential rotations and scrutiny of Tor exit nodes. Defenses include ephemeral accounts and E2EE for legitimate forums, though criminal ones persist via decentralization.

WhisperPair Vulnerability Affects Millions of Bluetooth Devices

KU Leuven researchers uncovered WhisperPair, a critical flaw in Google’s Fast Pair protocol impacting hundreds of millions of Bluetooth accessories from vendors ranging from Sony to Google, enabling tracking and pairing hijacks on Android and iOS.

Protocol Flaw Mechanics

Fast Pair uses BLE advertisements with account keys for seamless pairing, but WhisperPair exploits weak entropy in key derivation, allowing replay attacks. An attacker sniffs pairing events, reconstructs keys via lattice-based cryptanalysis of the ECDH parameters, and impersonates devices within a 30 m range.

Affected Ecosystem Scale

Vulnerable firmware in earbuds and speakers from more than 10 brands shares the same Fast Pair 1.0 implementation flaws. Exploitation demos include unwanted pairing, audio hijacking, and firmware-downgrade chains leading to persistent implants.

Remediation and Vendor Response

Patches involve key rotation and anti-replay nonces in Fast Pair 2.0. Users are advised to limit Bluetooth scanning, update firmware via companion apps, and avoid pairing in public.

Microsoft Disrupts RedVDS Cybercrime Marketplace

On January 14, 2026, Microsoft took down RedVDS, a cybercrime-as-a-service platform linked to $40M US fraud, hosting phishing kits, mailers, and BEC tools.

Platform Capabilities Dismantled

RedVDS offered bulletproof VPS for phishing pages, SMTP mailers like SuperMailer with 99% inbox rates via DMARC spoofing, and ChatGPT-powered lure generators. BEC services scripted vishing follow-ups with VoIP integration.

Takedown Operations

Microsoft’s Digital Crimes Unit seized domains and sinkholed C2 infrastructure via court orders, disrupting 500+ actors. The platform traces to Russian bulletproof hosts with Monero payments.

Persistent Threats

Successors are likely to emerge; defenses include DMARC alignment, AI-based phishing detection, and threat intel feeds tracking mailer signatures.
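The “DMARC alignment” defense named here, and the spoofing mailers described under Platform Capabilities, as an added example that is not code from the digest or from Microsoft: a minimal identifier-alignment evaluator in the sense of RFC 7489, showing why a mailer that authenticates only its own envelope domain fails DMARC for a forged From: header, and how strict versus relaxed alignment treats a subdomain. The organizational-domain logic (last two labels) is an assumed simplification; real evaluators consult the Public Suffix List, and all domains are constructed.

```python
from typing import Optional

def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels (assumed simplification;
    a real evaluator uses the Public Suffix List so that e.g. co.uk is not an org domain)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def aligned(header_from: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: mode 's' (strict) needs an exact match with the RFC5322.From domain,
    mode 'r' (relaxed, the default when a policy omits aspf/adkim) only the same org domain."""
    if not auth_domain:
        return False
    hf, ad = header_from.lower().strip("."), auth_domain.lower().strip(".")
    return hf == ad if mode == "s" else org_domain(hf) == org_domain(ad)

def dmarc_result(header_from: str, spf_domain: Optional[str], spf_result: str,
                 dkim_domain: Optional[str], dkim_result: str,
                 aspf: str = "r", adkim: str = "r") -> str:
    """DMARC passes when at least one of SPF (MAIL FROM domain) or DKIM (d= tag domain)
    both produced 'pass' *and* aligns with the visible From: domain."""
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, adkim)
    return "pass" if spf_ok or dkim_ok else "fail"

# Constructed scenarios using reserved 'example' domains, not real mail.
def mailer_spoof() -> str:
    """Bulk mailer: SPF passes for its own envelope domain, but From: is forged to the target brand."""
    return dmarc_result("bank.example", "bulkmailer.example", "pass", None, "none")

def legitimate_subdomain(mode: str) -> str:
    """Mail DKIM-signed with d=mail.bank.example: passes under relaxed, fails under strict alignment."""
    return dmarc_result("bank.example", "mail.bank.example", "pass",
                        "mail.bank.example", "pass", aspf=mode, adkim=mode)
```

An aligned SPF or DKIM pass is what a receiver requires before a `p=reject` policy lets the message through, which is why unaligned bulk mailers are blocked once the brand publishes such a policy.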
